feat: replace scc gcloud provisioner with native resource (#514)

* replace scc configure gcloud to Terraform resource

* fix the format

* format

* add readme

Author: ericyz

1-org/envs/shared/README.md

@@ -52,7 +52,7 @@
 | restricted\_net\_hub\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the restricted net hub project. | `string` | `null` | no |
 | restricted\_net\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the restricted net hub project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | restricted\_net\_hub\_project\_budget\_amount | The amount to use as the budget for the restricted net hub project. | `number` | `1000` | no |
-| scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state=\\\"ACTIVE\\\""` | no |
+| scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no |
 | scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check if it already exists. | `string` | n/a | yes |
 | scc\_notifications\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the SCC notifications project. | `string` | `null` | no |
 | scc\_notifications\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the SCC notifications project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |

1-org/envs/shared/scc_notification.tf

@@ -29,28 +29,13 @@ resource "google_pubsub_subscription" "scc_notification_subscription" {
   project = module.scc_notifications.project_id
 }
 
-module "scc_notification" {
-  source  = "terraform-google-modules/gcloud/google"
-  version = "~> 1.1.0"
+resource "google_scc_notification_config" "scc_notification_config" {
+  config_id    = var.scc_notification_name
+  organization = var.org_id
+  description  = "SCC Notification for all active findings"
+  pubsub_topic = google_pubsub_topic.scc_notification_topic.id
 
-  additional_components = var.skip_gcloud_download ? [] : ["alpha"]
-
-  create_cmd_entrypoint = "gcloud"
-  create_cmd_body       = <<-EOF
-    scc notifications create ${var.scc_notification_name} --organization ${var.org_id} \
-    --description "SCC Notification for all active findings" \
-    --pubsub-topic projects/${module.scc_notifications.project_id}/topics/${google_pubsub_topic.scc_notification_topic.name} \
-    --filter "${var.scc_notification_filter}" \
-    --project "${module.scc_notifications.project_id}" \
-    --impersonate-service-account=${var.terraform_service_account}
-EOF
-
-  destroy_cmd_entrypoint = "gcloud"
-  destroy_cmd_body       = <<-EOF
-  scc notifications delete organizations/${var.org_id}/notificationConfigs/${var.scc_notification_name} \
-  --impersonate-service-account ${var.terraform_service_account} \
-  --project "${module.scc_notifications.project_id}" \
-  --quiet
-  EOF
-  skip_download          = var.skip_gcloud_download
+  streaming_config {
+    filter = var.scc_notification_filter
+  }
 }

1-org/envs/shared/variables.tf

@@ -81,7 +81,7 @@ variable "skip_gcloud_download" {
 variable "scc_notification_filter" {
   description = "Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter"
   type        = string
-  default     = "state=\\\"ACTIVE\\\""
+  default     = "state = \"ACTIVE\""
 }
 
 variable "parent_folder" {

1-org/envs/shared/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.50"
+      version = ">= 3.77"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.50"
+      version = ">= 3.77"
     }
   }
 

3-networks/modules/hierarchical_firewall_policy/README.md

@@ -0,0 +1,17 @@
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| associations | Resources to associate the policy to | `list(string)` | n/a | yes |
+| name | Hierarchical policy name | `string` | n/a | yes |
+| parent | Where the firewall policy will be created (can be organizations/{organization\_id} or folders/{folder\_id}) | `string` | n/a | yes |
+| rules | Firewall rules to add to the policy | <pre>map(object({<br>    description             = string<br>    direction               = string<br>    action                  = string<br>    priority                = number<br>    ranges                  = list(string)<br>    ports                   = map(list(string))<br>    target_service_accounts = list(string)<br>    target_resources        = list(string)<br>    logging                 = bool<br>  }))</pre> | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| id | n/a |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->